
SEC, FBI Remind Firms to Ensure They Meet Cybersecurity Obligations

Two recent events should serve as the latest in a series of reminders that cybersecurity risk management – including breach prevention, monitoring, and response or mitigation measures – should be among the top priorities for all fund managers and investment firms.

The first reminder was at the annual SEC Speaks conference in Washington, D.C., held in late February 2016, where a senior SEC enforcement official said the agency would continue to pursue cybersecurity enforcement actions related to three main themes: (i) the failure to safeguard confidential information, (ii) the theft of nonpublic information for illegal use in market activities and (iii) the failure by a public company to disclose a cybersecurity-related incident.

Significantly, Stephanie Avakian, deputy director of the SEC’s Division of Enforcement, said that companies found to be withholding information about data breaches could face civil and criminal enforcement actions. She added that while the agency would weigh the many variables involved in any data breach, the enforcement division will take action where it judges that a company violated its duties.

The large majority of the agency’s cases have fallen under the first two categories, and Avakian indicated a “significant disclosure failure” would be required to bring about charges. Nonetheless, she reiterated that firms must be aware of their responsibilities and involve law enforcement agencies like the FBI when it’s appropriate, rather than obscure any breach for fear of an investigation. Avakian’s comments underscored that the SEC isn’t simply scrutinizing a firm’s cybersecurity efforts ahead of a data breach; it will also be closely examining how a firm reacts once an incident has been uncovered.

The second event was the revelation in late March 2016 that the Manhattan U.S. Attorney’s Office and the FBI are investigating hackers who targeted several high-profile law firms – potentially with the intent of stealing confidential information for insider trading. It isn’t known what information, if any, was obtained during the breach, which occurred during the summer of 2015. This news followed several other high-profile data breaches at U.S. banks, retailers and health care organizations, which had prompted the FBI’s cyber division to issue an alert earlier in March that hackers are targeting law firms for purposes of insider trading.

The ongoing regulatory emphasis on cybersecurity should not come as a surprise, as the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced in September 2015 its second round of cybersecurity examinations would include additional testing of investment advisers and broker-dealers to assess the implementation of cybersecurity procedures and controls at their firms – potentially leading to increased enforcement actions in response to any weaknesses revealed. The SEC is also seeking to increase the number of RIA examiners by almost 20%, further evincing the ever-increasing scrutiny fund managers face. SEC Commissioner Luis Aguilar highlighted that the increasing expectations extend beyond the large investment advisers, in part, because the majority of targeted cyberattacks in 2014 were aimed at small and midsize businesses. Small companies and startups aren’t immune from cyberattacks or exempt from the responsibility to take measures to protect their clients.

Additionally, the SEC’s Enforcement Division announced in late April that it is bringing actions against firms that fail to protect client data pursuant to the Regulation S-P privacy rule. Andrew Ceresney, the director of the Enforcement Division, emphasized the SEC’s focus on cybersecurity, noting the number of recent cases brought by the division “relating to Reg S-P and failure to have policies and procedures relating to safeguarding information.” He warned that there would be others. To address the increasing focus on cybersecurity, the SEC is pushing to partner with an outside organization on adviser examinations and to increase use of data analytics to identify high-risk firms.

Separate from federal cybersecurity responsibilities, this is also an area ripe for action by state attorneys general. Most states have enacted data breach laws with varying degrees of risk management expectations or best practices. These laws frequently include notice requirements not only for individuals affected by a breach but also for state attorneys general and/or other state agencies.

Amid the environment of heightened scrutiny that emerged in 2015, fund managers must be aware of the expectation that they will both be well-informed of their responsibilities and ensure they are in compliance. If that wasn’t already clear, the events so far in 2016 should remind all firms to regularly review the adequacy of their cybersecurity risk management controls and disclosure policies and practices, with an eye toward preventing, responding to and/or mitigating cyberattacks, including alerting clients to actual breaches and, where appropriate, disclosing potential cybersecurity risks.
